Database administrators, by the very essence of their job descriptions, are the protectors of their organization’s core data assets. They are tasked with ensuring that key data stores are safeguarded against any type of unauthorized data access. Ensuring that data is protected on a 24 x 7 basis is a complex task. External intrusions and internal employee data thefts combine to make many IT professionals lie awake at night thinking about how they can secure their sensitive database data stores.
Data breaches threaten the survivability of any organization. The financial impact of the breach is not the only issue that affects companies that are victims of unauthorized data access. Bad press, fines, legal costs and loss of customer goodwill must be also factored into the breach’s total impact on the organization.
Significant data breach announcements are publicized on a daily basis. External hackers and rogue employees continuously search for new ways to steal sensitive information. There is one component that is common to most thefts - the ultimate target of that breach is the database data store containing sensitive information.
Protecting Critical Data Assets
Hackers can be classified as intelligent, inquisitive, patient, thorough, driven and often, successful. This combination of traits makes data protection a formidable challenge. Those responsible for data protection have a wealth of hardware and software offerings available to them that assist in the monitoring and protection of their organization’s sensitive data stores. Data security teams are tasked with creating protection strategies based on a combination of procedures, controls and product offerings.
These product offerings range the spectrum, from Anti-Virus and Security Information and Event Monitoring software to state-of-the-art firewalls and perimeter monitoring hardware components. The seemingly endless array of hardware and software protection offerings available allows security units to interweave the products and procedures together to craft protection strategies that are custom tailored to their organization’s security needs.
Database Activity Monitoring
The ultimate target for many breach attempts is the database. It is widely known to be the container for the organization’s most sensitive data assets. In the past, database administrators have combined product vendor supplied security mechanisms with traditional security products to protect their database environments. Although the major database vendors continue to integrate strong security features into their products’ architectures, third-party offerings in this space have been somewhat limited.
A new breed of products loosely grouped together and defined as “Database Activity Monitoring” (DAM) has recently begun to gain traction with the database administration community. Database Activity Monitoring allows organizations to gain visibility into all database activity including local privileged access and sophisticated attacks from within the database itself. Monitoring helps administrators protect their most valuable and sensitive data from external threats and malicious insiders by alerting them to attacks as well as terminating sessions that violate predefined security policies.
Database Activity Monitoring focuses on the evaluation of the SQL statements accessing the data from a security perspective. Much like a parsing engine that checks the syntax of a SQL statement to ensure it is syntactically correct, the software analyzes the statement and compares it to a predefined set of security rules.
Depending on the vendor utilized to provide Database Activity Monitoring, the combination of rules can be as complex or as simple as needed to protect the database. Most offerings allow administrators to combine security rules that consist of:
- Database account executing statement
- Application program sending statement to database for execution
- Host name, IP address of computer accessing the database
- Time of day
- Type of access being performed (SELECT, UPDATE, INSERT, DELETE)
- Data Definition Language statements (CREATE, DROP, ALTER)
- Data Control Language (GRANT, REVOKE)
The software then allows the administrator to take preventative action for statements that violate the predefined security policies. Depending on the product used, preventative action could include logging the statement, generating alerts or blocking the statement from execution. Some vendor offerings also allow the administrators to quarantine the user, which prevents them from issuing any additional statements that access the database.
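As an added illustration (this is example code written for this page, not the original article's content and not any RDX or McAfee product code), the following Python sketch shows how the rule ingredients listed above (account, application program, host/IP, time of day, statement type, DDL/DCL class) can be combined into policies, and how the escalating preventative actions (log, alert, block, quarantine) fall out of the evaluation. The strongest action among all matching rules wins, and a quarantined account has every later statement blocked regardless of the rules. Rule names, account names, CIDR ranges, and the sample statements are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import time
from enum import Enum
from ipaddress import ip_address, ip_network


class Action(Enum):
    """Preventative actions, ordered from weakest to strongest."""
    ALLOW = 0
    LOG = 1
    ALERT = 2
    BLOCK = 3
    QUARANTINE = 4


DML = {"SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "MERGE"}
DDL = {"CREATE", "DROP", "ALTER"}
DCL = {"GRANT", "REVOKE"}


def statement_type(sql: str) -> str:
    """Leading SQL keyword, skipping leading whitespace and /* ... */ comments."""
    m = re.match(r"\s*(?:/\*.*?\*/\s*)*([A-Za-z]+)", sql, re.S)
    return m.group(1).upper() if m else "UNKNOWN"


def statement_class(sql: str) -> str:
    kw = statement_type(sql)
    if kw in DDL:
        return "DDL"
    if kw in DCL:
        return "DCL"
    if kw in DML:
        return "DML"
    return "OTHER"


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end]; the window may wrap past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


@dataclass
class Event:
    account: str   # database account executing the statement
    program: str   # application program that sent it
    host: str      # host name of the client
    ip: str        # client IP address
    at: time       # time of day
    sql: str       # statement text


@dataclass
class Rule:
    """Every condition that is set must hold for the rule to match (AND)."""
    name: str
    action: Action
    accounts: set = None   # match if account is in the set
    programs: set = None   # match if program is in the set
    types: set = None      # match on leading keyword, e.g. {"UPDATE"}
    classes: set = None    # match on {"DDL", "DCL", "DML"}
    inside: list = None    # CIDRs; match if source IP is in any of them
    outside: list = None   # CIDRs; match if source IP is in none of them
    start: time = None     # time-of-day window (used together with end)
    end: time = None
    pattern: str = None    # regex over the statement text

    def matches(self, ev: Event) -> bool:
        ip = ip_address(ev.ip)
        return all([
            self.accounts is None or ev.account in self.accounts,
            self.programs is None or ev.program in self.programs,
            self.types is None or statement_type(ev.sql) in self.types,
            self.classes is None or statement_class(ev.sql) in self.classes,
            self.inside is None or any(ip in ip_network(n) for n in self.inside),
            self.outside is None or not any(ip in ip_network(n) for n in self.outside),
            self.start is None or in_window(ev.at, self.start, self.end),
            self.pattern is None or re.search(self.pattern, ev.sql, re.I) is not None,
        ])


class Monitor:
    def __init__(self, rules):
        self.rules = rules
        self.quarantined = set()   # accounts barred from any further statements

    def evaluate(self, ev: Event):
        if ev.account in self.quarantined:
            return Action.BLOCK, ["quarantined"]
        hits = [r for r in self.rules if r.matches(ev)]
        action = max((r.action for r in hits), key=lambda a: a.value, default=Action.ALLOW)
        if action is Action.QUARANTINE:
            self.quarantined.add(ev.account)
        return action, [r.name for r in hits]


# Constructed policy: hypothetical corporate network range and rule names.
CORP_NET = ["10.0.0.0/8"]
POLICY = [
    Rule("log-dcl", Action.LOG, classes={"DCL"}),
    Rule("alert-offhours-writes", Action.ALERT,
         types={"UPDATE", "DELETE", "TRUNCATE"}, start=time(20, 0), end=time(6, 0)),
    Rule("alert-card-data-read", Action.ALERT, pattern=r"\bcard_numbers\b"),
    Rule("block-ddl-from-app", Action.BLOCK, programs={"orders-app"}, classes={"DDL"}),
    Rule("quarantine-external-ddl", Action.QUARANTINE, classes={"DDL"}, outside=CORP_NET),
]

# Constructed sample activity: one benign read, one read of a sensitive table,
# an off-hours DROP from outside the corporate network, then a follow-up query.
SAMPLE = [
    Event("orders_app", "orders-app", "app01", "10.1.2.3", time(10, 15),
          "SELECT id, total FROM orders WHERE id = 42"),
    Event("orders_app", "orders-app", "app01", "10.1.2.3", time(10, 16),
          "SELECT pan FROM card_numbers WHERE order_id = 42"),
    Event("dba_jane", "sqlplus", "laptop-7", "203.0.113.9", time(2, 30),
          "/* cleanup */ DROP TABLE audit_log"),
    Event("dba_jane", "sqlplus", "laptop-7", "203.0.113.9", time(2, 31),
          "SELECT 1 FROM dual"),
]


def run(events=SAMPLE, policy=POLICY):
    """Evaluate events in order; returns (action name, matched rule names) per event."""
    mon = Monitor(policy)
    return [(a.name, names) for a, names in (mon.evaluate(ev) for ev in events)]


if __name__ == "__main__":
    for ev, (action, names) in zip(SAMPLE, run()):
        print(f"{action:<10} {ev.account:<12} {ev.sql}  {names}")
```

The order of evaluation matters: the quarantine check runs before any rule, so once the DROP from an external address has quarantined `dba_jane`, the harmless `SELECT 1` that follows is blocked without being examined. Real products evaluate far richer conditions and keep the quarantine state in a tamper-resistant store, but the shape of the decision is the same.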
The major offerings also provide out-of-the-box compliance and vulnerability reports. The Database Activity Monitoring software has preprogrammed rules for most major regulatory requirements including SOX, HIPAA and PCI. Vulnerability scans allow administrators to quickly identify potential issues and take the steps necessary to remediate or mitigate their impact.
The general vulnerability scans test for weak passwords, default accounts and other breaches of best practices that may result in a vulnerable database. Scans can be scheduled to run on a regular basis so that newly introduced vulnerabilities are identified promptly.
Remote DBA Experts' (RDX) Database Activity Monitoring Service
As a remote database services provider, RDX understands the important role security plays in our customers’ environments. Our customers have entrusted our organization to help safeguard their critical data stores.
RDX completed an extensive evaluation of various database protection products and has chosen to partner with McAfee Security to provide a database security monitoring offering to our customers. A thorough evaluation of a Database Activity Monitoring vendor is critical to any shop desiring to implement Database Activity Monitoring. RDX performed a traditional vendor analysis that assigned weights to evaluation criteria based on their importance to our organization. Because RDX supports a wide range of database products, the product was required to support as many different vendor offerings as possible. Some of the additional criteria RDX used in its evaluation follow:
- Track record as a proven security software provider and presence in market place
- Wide range of SQL statement security monitoring options (type of access, user, time-of-day, etc.)
- Limit the performance impact on the database, transactions and individual SQL statements being analyzed
- Ability to quarantine users, not just block their statement from executing
- Strong vulnerability scanner option that included predefined rules for SOX, HIPAA and PCI
- Robust reporting and alerting features
- Internal security mechanisms that prohibit product tampering and unauthorized access to the Database Activity Monitoring data store
- The ability to virtually patch systems to quickly protect databases from new exploits until the database vendor supplied hard patches become available
- Ease-of-installation and debugging
Database Activity Monitoring Lifecycle
After the tool is purchased, an implementation project is then initiated to tailor the product to meet the organization’s Database Activity Monitoring needs. The implementation can be decomposed into the following tasks: educating the application owners and security teams on the features that the Database Activity Monitoring product provides, needs analysis, customizing the product, defining alert notification and escalation procedures, initial vulnerability scans and ongoing monitoring. RDX’s implementation consists of the following phases:
Customizing the Security Offering
RDX works with each customer to design a security service offering that meets their unique security monitoring needs:
- Detailed discussions are held during integration on the type of data to be protected as well as the customer’s current internal security practices and product sets. The intent is to allow RDX to fully understand each customer’s overall security requirements and current controls.
- RDX’s security services are discussed in-depth with each customer to ensure they fully understand RDX’s data protection strategies.
- RDX works with customers to agree upon the installation and configuration of the security monitoring architecture.
- RDX identifies critical customer software products being utilized to create weekly vulnerability and new threat notifications.
- Criteria used to generate alert event notifications are agreed upon.
- Alert event notification and escalation procedures are finalized.
- Initial and ongoing vulnerability scans are scheduled.
Initial Vulnerability Assessments
The initial vulnerability scan provides a detailed security analysis of the database being protected. Its intent is to identify current vulnerabilities to allow RDX and the customer to quickly address them.
- The scanning process automatically finds databases on the network, determines if the latest patches have been applied, and tests for weak passwords, default accounts, and other common threats — making it easier to demonstrate compliance to auditors and improve protection of critical data assets. The scanner conducts a check of more than 3,500 potential database vulnerabilities.
- Scanning templates for PCI DSS, SOX, HIPAA and other regulations can be utilized, as well as specific reports for various stakeholders such as DBAs, developers and security teams.
- The scanning output provides remediation recommendations for most high-priority vulnerabilities.
- RDX’s database and operating systems experts will present the scanning results to customers and provide insight into each security flaw and the type of exposure or vulnerability it presents. RDX works with each customer to mitigate or completely resolve the vulnerability.
- RDX will then schedule the scanner to run on a quarterly basis to identify any vulnerabilities introduced since the previous scan.
Database Activity Monitoring
24x7 Database Activity Monitoring is the heart of any Database Activity Monitoring implementation.
- A small client-side monitoring sensor is installed on each monitored target.
- The sensors send alert notifications to a central console installed at the customer site.
- RDX works with each customer to create security event identification criteria to alert or terminate sessions based on, but not limited to:
  - Application program
  - IP or host name
  - Time of day
  - Type of statement (SELECT, INSERT, DELETE, TRUNCATE, UPDATE, etc.)
- The alert notifications are forwarded to RDX’s Proactive Monitoring and Response Center (PMRC) for processing.
- RDX’s PMRC Team customizes the alert event notification and escalation procedures to meet the customer’s security needs.
- RDX will configure self-defense mechanisms to detect product tampering and trigger tampering alerts.
- The PMRC team constantly reviews alerts generated during initial implementation to reduce alerting “noise”. Discussions are held with the customer to reduce unwarranted notifications.
- RDX ensures that all monitoring components are functioning as expected and performs system upgrades to ensure that all new features are quickly leveraged by each customer.
Ongoing Security Services
The intent is to provide customers with an ongoing service offering that focuses on the protection of sensitive database data stores:
- Security Analysis Services
  - Configure custom Database Activity Monitoring Reports
  - Work with customer to add or change database specific alert event notification criteria
  - New Threat Analysis - Identify customer IT product sets during integration and create new vulnerability notifications that may affect those products
  - DBAs and OS engineers will provide detailed insight to alert notifications when requested
  - Scan for new databases added to network
  - Perform quarterly vulnerability scans to ensure that recent changes have not increased exposure to security threats
- Database and OS patching services
  - Upgrade database and operating system to new release
  - Apply database and operating system security patches
  - Provide advice to customer personnel on patching and upgrades
Protecting against unauthorized data access must be an ongoing process. RDX is acutely aware that those individuals seeking to exploit data stored in computer systems for personal gain are constantly changing and improving their data access strategies. The fluid nature of external and internal attacks requires DBA units to leverage time-tested database security best practices while also actively seeking out and implementing hardware and software products that can be interwoven into an effective database protection strategy. One of those key tools in your DBA toolbox is the database activity monitor. If you have sensitive data, you can choose to implement the product on your own or take advantage of our services.